Reading his post led me to reflect on how direly personal digital security needs improvement.
You see, most people have a mental model of their digital security like this:
But here’s reality:
You, a security consultant, wake up in medieval Europe.
You’ve been hired by a feudal lord, who has inherited a castle, some land, and a couple serfs, and is looking to secure his property. Luckily, right now, you just need to come up with a list of defensive security controls for him to put in place.
Here’s how I’d approach the problem.
Regardless of whether you work in information security, national security, physical security, or another branch of security, you’re dealing with at least one active adversary.
Security is the only field — by definition — where this is true.
In March of this year, I saw on Hacker News that Netflix had open sourced a tool called riskquant. I’d been toying with the idea of quantifying cybersecurity for a while myself.
I started with the belief that if you could assign a number, from 0 to 100, to describe how secure an organization was, where 0 is “certain to be compromised” and 100 is “impossible to be compromised”, you’d get these benefits:
The goal of risk quantification is to express cybersecurity risks using numbers, instead of qualitative labels.
By doing this, the hope is you can more easily prioritize between different security initiatives, and track changes in your risk posture at a more granular level.
Say you’d like to quantify the risks for a company.
I believe that you’ll want to identify the assets you care about, enumerate the risks to these assets, and then for each risk, assess its frequency and magnitude. See this talk to learn more.
I have a lot more blog posts like this I plan to write. If you like this, follow me on Twitter to make sure you don’t miss any.
Think about the most complex frontends you’ve used. Frontends that made you wonder — “how did they create this”?
Here are some of mine.
Many CISOs have a vague understanding of their organization’s threat landscape from reports like Verizon DBIR, previous security incidents, and threat intel.
To be fair, not understanding your attackers is probably fine. Your defenses should be based on the sophistication level of the adversaries you’re defending against. Which government, for example, is attacking you shouldn’t matter.
Still, I think most security teams would find detailed profiles of their organization’s attackers valuable. By profiles, I mean their attackers’:
Knowing “the People’s Liberation Army is targeting our customer database” would help your…
Most security tools help you either prevent, detect, or respond to attacks. Response, in my opinion, consists of containment, investigation, and remediation.
In this post, I’ll list some useful capabilities for containing, investigating, and remediating attacks.
software engineer at OpsRamp, ex-incident response consultant at Mandiant